Nagios XI Security Vulnerabilities - CVSS Score 9 - 10

CVE-2018-15708

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

CVSS 9.8, AI Score 9.5, EPSS 0.431, 2018-11-14 06:29 PM

CVE-2018-17148

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

CVSS 9.8, AI Score 9.5, EPSS 0.006, 2019-06-19 06:15 PM

CVE-2018-8733

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

CVSS 9.8, AI Score 9.4, EPSS 0.32, 2018-04-18 12:29 AM

CVE-2018-8734

SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

CVSS 9.8, AI Score 9.6, EPSS 0.101, 2018-04-18 12:29 AM

CVE-2019-12279

Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that ...

CVSS 9.8, AI Score 9.8, EPSS 0.014, 2019-05-22 04:29 PM

CVE-2019-9165

SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.

CVSS 9.8, AI Score 9.9, EPSS 0.008, 2019-03-28 07:29 PM

CVE-2020-15903

An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root, where some included files were editable by the nagios user. This issue was fixed in version 5.7.3.

CVSS 9.8, AI Score 9.5, EPSS 0.002, 2020-09-09 09:15 PM

CVE-2020-28900

Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.

CVSS 9.8, AI Score 9.4, EPSS 0.065, 2021-05-24 01:15 PM

CVE-2020-28910

Creation of a Temporary Directory with Insecure Permissions in Nagios XI 5.7.5 and earlier allows for Privilege Escalation via creation of symlinks, which are mishandled in getprofile.sh.

CVSS 9.8, AI Score 9.4, EPSS 0.08, 2021-05-24 01:15 PM

CVE-2021-3193

Improper access and command validation in the Nagios Docker Config Wizard before 1.1.2, as used in Nagios XI through 5.7, allows an unauthenticated attacker to execute remote code as the apache user.

CVSS 9.8, AI Score 9.8, EPSS 0.002, 2021-01-26 06:16 PM

CVE-2021-36363

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

CVSS 9.8, AI Score 9.5, EPSS 0.002, 2021-09-28 05:15 PM

CVE-2021-36364

Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

CVSS 9.8, AI Score 9.4, EPSS 0.002, 2021-09-28 05:15 PM

CVE-2021-36365

Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

CVSS 9.8, AI Score 9.5, EPSS 0.002, 2021-09-28 05:15 PM

CVE-2021-36366

Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

CVSS 9.8, AI Score 9.4, EPSS 0.002, 2021-09-28 05:15 PM

CVE-2021-37350

Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.

CVSS 9.8, AI Score 9.7, EPSS 0.003, 2021-08-13 12:15 PM

CVE-2022-38250

Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.

CVSS 9.8, AI Score 9.8, EPSS 0.002, 2022-09-07 10:15 PM

CVE-2023-48084

Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool.

CVSS 9.8, AI Score 9.7, EPSS 0.086, 2023-12-14 07:15 AM

CVE-2023-48085

Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.

CVSS 9.8, AI Score 9.8, EPSS 0.413, 2023-12-14 07:15 AM